-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/20/2011 08:45 AM, Qwyjibo Jones wrote:
> Sorry, one more question...
>
> Does the MLS policy shipped with RHEL 6 have the separation?
>
> Thanks,
>
> On Wed, Jan 19, 2011 at 4:51 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>     On 01/19/2011 04:44 PM, Qwyjibo Jones wrote:
>> I don't seem to have the "allow_sysadm_manage_security" boolean. Do I
>> need to create it somehow and put it under /selinux/booleans ?
>
>> # getsebool -a | grep allow_sysadm_manage_security
>> # getsebool -a | grep allow_sysadm
>> # getsebool -a | grep sysadm
>> allow_httpd_sysadm_script_anon_write --> off
>> ssh_sysadm_login --> off
>> staff_read_sysadm_file --> off
>> xdm_sysadm_login --> off
>
>> Thanks,
>
>> On Wed, Jan 19, 2011 at 3:11 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>>     On 01/18/2011 01:03 PM, Qwyjibo Jones wrote:
>
>>> I am currently working with an Itanium2 system which has RHEL 5.3 MLS
>>> installed.
>>> I am trying to understand how separation of roles works in SELinux/MLS
>>> policy version 21. We have been told that we need to separate roles that
>>> the sys admin is no longer allowed to do.
>
>>> After reading through these threads in the archives, I am still
>>> wondering about a couple of things:
>>>
>>> http://www.nsa.gov/research/selinux/list-archive/0504/thread_body66.shtml#11082
>>>
>>> And this one:
>>>
>>> http://www.nsa.gov/research/selinux/list-archive/0802/thread_body60.shtml
>
>>> 1) Is the RHEL 5.x MLS policy version 21 capable of the following
>>> separation of sysadm_r and secadm_r roles:
>
>>> a) Can the secadm_r role be the only role that can assign roles via
>>> semanage?
>
>>> c) Can the secadm_r role be the only role that can control files used
>>> in auditing, like auditd.conf, audit.rules, /etc/init.d/auditd etc...
>
>> auditadm_r:auditadm_t is only allowed to modify these files.
>
>>> 2) Is this better accomplished with a combination of SUDO and SELinux?
>
>> Since sysadm_t can hack his way around the SELinux controls via tools
>> like rpm and fdisk, you are better off using sudo to further restrict
>> his actions, if possible.
>
>>> 3) How can I determine what secadm_r can do in the current
>>> configuration? Can any of the CLI tools show me that? (no GUI tools
>>> available)
>
>> You probably want to look at secadm_t
>
>> sesearch -A -t secadm_t
>
>>> If not, what about RHEL 6? (I understand RHEL 6 is not available to
>>> Itanium systems, but we may have new hardware soon)
>
>>> Any tips, hints, pointers etc... would be very helpful.
>
>>> Thanks for your time,
>
> Oops, I misread the policy, I guess we abandoned the separation.
>
> ifdef(`enable_mls',`
>     userdom_security_administrator(secadm_t,secadm_r,{ secadm_tty_device_t sysadm_devpts_t })
> # tunable_policy(`allow_sysadm_manage_security',`
>     userdom_security_administrator(sysadm_t,sysadm_r,admin_terminal)
> # ')
>
> Missed the "#" at the beginning of the lines. So I don't think we
> prevent sysadm_t from managing the security, of course he has to be able
> to run at SystemHigh.

One idea would be to build the separation into a separate module,
sysadm_secadm.pp, then you could disable this module and take away the
power of sysadm to do security administration.

How important is this?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk04RWcACgkQrlYvE4MpobNgkwCgrpfXVA3VACrLFueZjW6V5Gko
YRsAoJsGGp76ODNFPSIhpl24h4D5KA6A
=Ae9m
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
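Added example, not part of the thread and not code from the SELinux reference policy or setools: the message above shows how easy it is to misread the m4 source (a "#" in front of tunable_policy() decides whether sysadm_t gets the security-administrator interface at all). The check a practitioner actually wants is against the compiled policy: which of sysadm_t, secadm_t and auditadm_t hold load_policy, setenforce and setbool on the security class, and whether that grant hangs off a boolean. The script below parses sesearch allow-rule output for exactly that. Assumptions of mine: setools' sesearch accepts "-A -c security" and prints one "allow SRC TGT:CLASS { perms };" rule per line, with conditional rules suffixed "[ bool ]:State"; the three permission names are the standard kernel ones for loading policy, toggling enforcing mode and flipping booleans; the sample rules are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example, not from the original thread: query the compiled policy for
# which admin domains actually hold security-administrator permissions,
# instead of reading m4 source where a commented-out tunable_policy() is easy
# to miss. Assumptions (mine): setools' sesearch accepts -A -c and prints one
# "allow SRC TGT:CLASS { perms };" rule per line, with conditional rules
# suffixed "[ bool ]:State"; the permissions below are the ones that let a
# domain load policy, toggle enforcing mode and flip booleans.

SEC_PERMS="load_policy setenforce setbool"

# allow_rules SRC CLASS < rules
# For every permission on CLASS granted to SRC, print "PERM<TAB>BOOL", where
# BOOL is the boolean the rule depends on, or "-" for an unconditional grant.
allow_rules() {
    awk -v src="$1" -v cls="$2" '
        $1 == "allow" && $2 == src {
            split($3, tc, ":")              # "security_t:security" -> class
            if (tc[2] != cls) next
            n = 0; cond = "-"
            for (i = 4; i <= NF; i++) {
                p = $i
                last = (p ~ /;/)            # "};" or "perm;" ends the rule
                gsub(/[{};]/, "", p)
                if (p != "") perms[++n] = p
                if (last) {
                    # setools prints conditional rules as "...; [ bool ]:State"
                    if (i + 1 <= NF && $(i + 1) == "[") cond = $(i + 2)
                    break
                }
            }
            for (j = 1; j <= n; j++) print perms[j] "\t" cond
        }'
}

# security_admin_grants DOMAIN < rules
# Print "DOMAIN perm (bool)" for each security-admin permission DOMAIN holds,
# or "DOMAIN none" if it holds none of them.
security_admin_grants() {
    allow_rules "$1" security | awk -v dom="$1" -v want="$SEC_PERMS" '
        BEGIN { split(want, w, " "); for (k in w) keep[w[k]] = 1 }
        keep[$1] { printf "%s %s (%s)\n", dom, $1, $2; n++ }
        END { if (!n) print dom " none" }'
}

# report_separation < rules
# Summarise the three admin domains the thread discusses.
report_separation() {
    rules=$(cat)
    for d in sysadm_t secadm_t auditadm_t; do
        printf '%s\n' "$rules" | security_admin_grants "$d"
    done
}

# Constructed sample in sesearch's output format (not captured from any real
# system): secadm_t holds the permissions outright, sysadm_t only behind the
# allow_sysadm_manage_security boolean, auditadm_t not at all.
SAMPLE_RULES='allow secadm_t security_t:security { load_policy setbool setenforce };
allow sysadm_t security_t:security { load_policy setbool setenforce }; [ allow_sysadm_manage_security ]:True
allow sysadm_t self:capability { sys_admin sys_rawio };
allow auditadm_t self:capability audit_control;'

if command -v sesearch >/dev/null 2>&1; then
    sesearch -A -c security | report_separation        # live policy
else
    printf '%s\n' "$SAMPLE_RULES" | report_separation  # offline demo
fi
```

On a real MLS box the live branch prints one line per (domain, permission) pair and names the boolean a grant depends on, so "sysadm_t load_policy (-)" means the separation is simply absent in the compiled policy, whatever the .te source looks like. Two caveats that follow from the thread itself: the parser filters on the source domain, because the question is what secadm_t may do (the thread's "sesearch -A -t secadm_t" lists rules that target secadm_t instead); and a clean result is necessary, not sufficient, since the message notes sysadm_t can still route around SELinux with tools like rpm and fdisk.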